neconyd | a290a68132f85a1923664244d7ee9f31dbf888138b6897f6fe4629dbbd0b3091

Analysis

max time kernel
114s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a290a68132f85a1923664244d7ee9f31dbf888138b6897f6fe4629dbbd0b3091N.exe
Size

65KB
MD5

cec2e18140f848a4bdf3f31242799e90
SHA1

4294a95ade835ac820e932dd61eb68e0afd10f6f
SHA256

a290a68132f85a1923664244d7ee9f31dbf888138b6897f6fe4629dbbd0b3091
SHA512

b7758c24b2329f1468a33c68fe2d1928e058bd035531330fdccfd52517843cabdee5740186c5a5facb64d9976ceb9f2d9bc07bb4fa289bc565ec8bbdc2d2e0af
SSDEEP

1536:Md9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hz:0dseIO+EZEyFjEOFqTiQmRHz

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
2768	omsecor.exe
1244	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a290a68132f85a1923664244d7ee9f31dbf888138b6897f6fe4629dbbd0b3091N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 2768	3904	a290a68132f85a1923664244d7ee9f31dbf888138b6897f6fe4629dbbd0b3091N.exe	82
PID 3904 wrote to memory of 2768	3904	a290a68132f85a1923664244d7ee9f31dbf888138b6897f6fe4629dbbd0b3091N.exe	82
PID 3904 wrote to memory of 2768	3904	a290a68132f85a1923664244d7ee9f31dbf888138b6897f6fe4629dbbd0b3091N.exe	82
PID 2768 wrote to memory of 1244	2768	omsecor.exe	92
PID 2768 wrote to memory of 1244	2768	omsecor.exe	92
PID 2768 wrote to memory of 1244	2768	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\a290a68132f85a1923664244d7ee9f31dbf888138b6897f6fe4629dbbd0b3091N.exe
"C:\Users\Admin\AppData\Local\Temp\a290a68132f85a1923664244d7ee9f31dbf888138b6897f6fe4629dbbd0b3091N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
68c03c4d83d873929845bb88d0824e3e

SHA1
638c67fc569cea49a21315d931a128baddafe2f4

SHA256
82ad67c8c85abdbe0a44c05e1dd857a564f29cc0712e357fa66fefec08dfba27

SHA512
ae1fb628ecb60207eba2ae3e69743cc8424a8cc21559c6ddc0b7a564f663d1134a997c40fda6b2f2b19e9bbd6d0710bfe18b09d791617a9e8e33387e1465da66

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
7b0849d80e40e10ad34045d6599e652d

SHA1
c33f2223d40b4ef92b3e4f8de551cc72e01e0102

SHA256
c87cb4aa800c36a219510585b8c3cd2f010d8776306362272304f433e63c6704

SHA512
9408ef8ef350500ddb551f8cc962063e5d69b6bc29f64eeb4f3c42a5d62ccb4c5a9c05b0597235fe4dfd7cfac7ddd6d2f3a270e75472101eb7a885caaa13e8ed

Download Submit
memory/1244-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1244-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2768-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2768-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2768-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3904-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3904-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download